Aliased dependencies are not linked correctly

[ericcornelissen]

Describe the bug

The npmx interface links to the wrong package when a package specifies a dependency through an alias (e.g., "foo": "npm:bar@1.2.3" in package.json) in the "Dependencies" section of the sidebar. See for example string-width-cjs npm:string-wi... in the preview below:

which currently links to https://npmx.dev/package/string-width-cjs but should link to https://npmx.dev/package/string-width per https://npmx.dev/package-code/@isaacs/cliui/v/8.0.2/package.json#L53.

Additional context

Example:

• For https://npmx.dev/package/@isaacs/cliui/v/8.0.2 the *-cjs dependencies link to the wrong package and should instead link to the aliased package.
• Compare that to https://www.npmjs.com/package/@isaacs/cliui/v/8.0.2?activeTab=dependencies which only links to the correct dependencies¹.

Logs

n/a

Footnotes

1. this appears to be a quite recent change because I definitely remember them linking to the alias-named package not too long ago. See also https://snyk.io/blog/exploring-extensions-of-dependency-confusion-attacks-via-npm-package-aliasing/. ↩

[MatteoGabriele]

Correct me if I'm wrong, but it should also be flagged as 4 versions behind, right?
If string-width v5 shows a 3 major versions behind warning, then string-width-cjs, pointing to string-width v4, should indicate 4 major versions behind.

[ericcornelissen]

You are correct @MatteoGabriele. My guess for why it currently doesn't show that is because it uses the full alias string as the version and probably gets confused. So rather than not flagging it, it just doesn't know the version.

To be more explicit w.r.t. this than the original report, beyond linking to the right package it should also show (and link to, etc.) the version being used rather than the full alias string.